fix(security): harden VNC to require password authentication (#1939, #1940)

.gitignore

@@ -357,7 +357,9 @@ tmp/
 *.7z
 
 # TLS Certificates (generated by scripts/security/generate-tls-certificates.sh)
+# Note: docker/certs/ has tracked scripts — only ignore generated cert files
 certs/
+!docker/certs/
 *.pem
 *.csr
 *.key

autobot-backend/api/vnc_manager.py

@@ -145,10 +145,9 @@ def start_vnc_server() -> Dict[str, str]:
                 "-localhost",
                 "no",
                 "-SecurityTypes",
-                "None",
+                "VncAuth,TLSVnc",
                 "-rfbport",
                 "5901",
-                "--I-KNOW-THIS-IS-INSECURE",
                 "-geometry",
                 "1920x1080",
                 "-depth",

autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service

@@ -1,3 +1,10 @@
+# AutoBot - AI-Powered Automation Platform
+# Copyright (c) 2025 mrveiss
+# Author: mrveiss
+#
+# TigerVNC Server for Browser VM — headed Playwright mode (#1939)
+# Requires: ~/.vnc/passwd (set with `vncpasswd`)
+
 [Unit]
 Description=TigerVNC Server for Browser VM
 After=network.target
@@ -7,7 +14,8 @@ Type=forking
 User=autobot
 WorkingDirectory=/home/autobot
 ExecStartPre=-/usr/bin/vncserver -kill :1
-ExecStart=/usr/bin/vncserver :1 -localhost no -SecurityTypes None -rfbport 5901 --I-KNOW-THIS-IS-INSECURE -geometry 1920x1080 -depth 24
+ExecStartPre=/bin/sh -c 'test -f /home/autobot/.vnc/passwd || (echo "VNC password not set — run vncpasswd first" && exit 1)'
+ExecStart=/usr/bin/vncserver :1 -localhost no -SecurityTypes VncAuth,TLSVnc -rfbport 5901 -geometry 1920x1080 -depth 24
 ExecStop=/usr/bin/vncserver -kill :1
 Restart=on-failure
 RestartSec=10

autobot-infrastructure/shared/scripts/setup_browser_vnc.sh

@@ -1,6 +1,10 @@
 #!/bin/bash
-# Automated VNC setup for Browser VM (172.16.168.25)
-# Provides visual browser viewing for collaborative user/agent interaction
+# AutoBot - AI-Powered Automation Platform
+# Copyright (c) 2025 mrveiss
+# Author: mrveiss
+#
+# Automated VNC setup for Browser VM — headed Playwright mode (#1939)
+# Uses VncAuth (password-protected). Requires vncpasswd to be set.
 
 set -e
 
@@ -12,82 +16,86 @@ SSH_KEY="${AUTOBOT_SSH_KEY:-$HOME/.ssh/autobot_key}"
 BROWSER_USER="${AUTOBOT_SSH_USER:-autobot}"
 
 echo "========================================="
-echo "AutoBot Browser VM VNC Setup"
+echo "AutoBot Browser VM VNC Setup (Secure)"
 echo "========================================="
 echo ""
 
-# Function to run command on Browser VM
 run_on_browser_vm() {
     ssh -i "$SSH_KEY" "$BROWSER_USER@$BROWSER_VM_IP" "$@"
 }
 
 # Step 1: Check if VNC components are installed
-echo "[1/6] Checking VNC installation..."
+echo "[1/7] Checking VNC installation..."
 if run_on_browser_vm "dpkg -l | grep -q tigervnc-standalone-server"; then
-    echo "✓ TigerVNC already installed"
+    echo "  TigerVNC already installed"
 else
-    echo "✗ TigerVNC not found - please run installation first"
+    echo "  TigerVNC not found - please run installation first"
     exit 1
 fi
 
-# Step 2: Kill any existing VNC servers
-echo "[2/6] Cleaning up existing VNC sessions..."
+# Step 2: Verify VNC password is set
+echo "[2/7] Verifying VNC password..."
+if run_on_browser_vm "test -f /home/autobot/.vnc/passwd"; then
+    echo "  VNC password file exists"
+else
+    echo "  VNC password not set. Setting now..."
+    echo "  (You will be prompted to enter a VNC password)"
+    run_on_browser_vm "mkdir -p /home/autobot/.vnc && vncpasswd /home/autobot/.vnc/passwd"
+fi
+
+# Step 3: Kill any existing VNC servers
+echo "[3/7] Cleaning up existing VNC sessions..."
 run_on_browser_vm "vncserver -kill :1 2>/dev/null || true"
 run_on_browser_vm "pkill -9 websockify 2>/dev/null || true"
-echo "✓ Cleanup complete"
+echo "  Cleanup complete"
 
-# Step 3: Start VNC server (matches main machine setup)
-echo "[3/6] Starting VNC server on display :1..."
+# Step 4: Start VNC server with password auth
+echo "[4/7] Starting VNC server on display :1 (VncAuth)..."
 run_on_browser_vm "/usr/bin/vncserver :1 \
     -localhost no \
-    -SecurityTypes None \
+    -SecurityTypes VncAuth,TLSVnc \
     -rfbport 5901 \
-    --I-KNOW-THIS-IS-INSECURE \
     -geometry 1920x1080 \
     -depth 24"
-echo "✓ VNC server started on :1 (port 5901)"
+echo "  VNC server started on :1 (port 5901, password-protected)"
 
-# Step 4: Start websockify for noVNC access
-echo "[4/6] Starting websockify for noVNC..."
+# Step 5: Start websockify for noVNC access
+echo "[5/7] Starting websockify for noVNC..."
 run_on_browser_vm "nohup /usr/bin/websockify \
     --web /usr/share/novnc \
     0.0.0.0:6080 \
     localhost:5901 \
     > /tmp/websockify.log 2>&1 &"
 sleep 2
-echo "✓ websockify started on port 6080"
+echo "  websockify started on port 6080"
 
-# Step 5: Configure Playwright for headed mode
-echo "[5/6] Configuring Playwright for headed mode..."
-run_on_browser_vm "cd /home/autobot && cat > .env << 'EOF'
+# Step 6: Configure Playwright for headed mode
+echo "[6/7] Configuring Playwright for headed mode..."
+run_on_browser_vm "cd /home/autobot && cat > .env << 'ENVEOF'
 # Playwright configuration - headed mode for VNC visibility
 HEADLESS=false
 DISPLAY=:1
-EOF"
-echo "✓ Playwright configured for headed mode on DISPLAY :1"
+ENVEOF"
+echo "  Playwright configured for headed mode on DISPLAY :1"
 
-# Step 6: Restart Playwright server
-echo "[6/6] Restarting Playwright server..."
+# Step 7: Restart Playwright server
+echo "[7/7] Restarting Playwright server..."
 run_on_browser_vm "pkill -f playwright-server.js 2>/dev/null || true"
-run_on_browser_vm "cd /home/autobot && mkdir -p logs && nohup node playwright-server.js > logs/playwright.log 2>&1 &"
+run_on_browser_vm "cd /home/autobot && mkdir -p logs && \
+    nohup node playwright-server.js > logs/playwright.log 2>&1 &"
 sleep 3
-echo "✓ Playwright server restarted"
+echo "  Playwright server restarted"
 
 echo ""
 echo "========================================="
-echo "✓ Browser VM VNC Setup Complete!"
+echo "  Browser VM VNC Setup Complete!"
 echo "========================================="
 echo ""
-echo "VNC Access:"
+echo "VNC Access (password-protected):"
 echo "  - VNC Server: $BROWSER_VM_IP:5901"
 echo "  - noVNC Web:  http://$BROWSER_VM_IP:6080/vnc.html"
 echo ""
 echo "Playwright:"
 echo "  - API Server: http://$BROWSER_VM_IP:3000"
 echo "  - Mode: Headed (visible browser on VNC)"
 echo ""
-echo "Next steps:"
-echo "  1. Test VNC connection: http://$BROWSER_VM_IP:6080/vnc.html"
-echo "  2. Update frontend VNC URL configuration"
-echo "  3. Test collaborative browser viewing"
-echo ""

autobot-infrastructure/shared/scripts/utilities/fix-vnc-desktop.sh

@@ -34,8 +34,10 @@ EOF
 chmod +x /home/kali/.vnc/xstartup
 chown kali:kali /home/kali/.vnc/xstartup
 
-# Create VNC password
-echo "kali" | vncpasswd -f > /home/kali/.vnc/passwd
+# Create VNC password (random, displayed once)
+VNC_PASSWORD="${VNC_PASSWORD:-$(openssl rand -base64 12)}"
+echo "$VNC_PASSWORD" | vncpasswd -f > /home/kali/.vnc/passwd
+echo "Generated VNC password: $VNC_PASSWORD"
 chmod 600 /home/kali/.vnc/passwd
 chown kali:kali /home/kali/.vnc/passwd
 
@@ -109,4 +111,4 @@ ss -tlnp | grep -E "5901|6080" || echo "Waiting for ports..."
 
 echo ""
 echo "Done! Access noVNC at http://localhost:6080"
-echo "VNC password: kali"
+echo "VNC password was displayed during setup (search output above)"

autobot-infrastructure/shared/scripts/utilities/fix-vnc-wsl.sh

@@ -70,7 +70,9 @@ EOF
 # Ensure password file exists
 mkdir -p /home/kali/.vnc
 if [ ! -f /home/kali/.vnc/passwd ]; then
-    x11vnc -storepasswd kali /home/kali/.vnc/passwd
+    VNC_PASSWORD="${VNC_PASSWORD:-$(openssl rand -base64 12)}"
+    x11vnc -storepasswd "$VNC_PASSWORD" /home/kali/.vnc/passwd
+    echo "Generated VNC password: $VNC_PASSWORD"
 fi
 chown -R kali:kali /home/kali/.vnc
 
@@ -101,4 +103,4 @@ ss -tlnp | grep -E "5900|6080" || echo "Ports not yet listening"
 
 echo ""
 echo "Done! noVNC should be at http://localhost:6080"
-echo "VNC password: kali"
+echo "VNC password was displayed during setup (search output above)"

autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh

@@ -1,12 +1,25 @@
 #!/bin/bash
-# Start VNC with complete isolation from local display
+# AutoBot - AI-Powered Automation Platform
+# Copyright (c) 2025 mrveiss
+# Author: mrveiss
+#
+# Start VNC with complete isolation from local display (#1939)
+# Uses VncAuth (password-protected). Requires ~/.vnc/passwd.
 
-# Kill any existing VNC sessions
-vncserver -kill :2 2>/dev/null
+set -e
+
+# Verify VNC password exists
+if [ ! -f "$HOME/.vnc/passwd" ]; then
+    echo "VNC password not set. Run 'vncpasswd' first."
+    exit 1
+fi
+
+# Kill any existing VNC sessions on display :2
+vncserver -kill :2 2>/dev/null || true
 
 # Kill any XFCE processes that might be on wrong display
-pkill -f xfce4-panel 2>/dev/null
-pkill -f xfdesktop 2>/dev/null
+pkill -f xfce4-panel 2>/dev/null || true
+pkill -f xfdesktop 2>/dev/null || true
 
 # Start VNC in completely clean environment - no local display access
 env -i \
@@ -18,9 +31,8 @@ env -i \
     vncserver :2 \
     -geometry 1920x1080 \
     -depth 24 \
-    -SecurityTypes None \
-    -localhost no \
-    --I-KNOW-THIS-IS-INSECURE
+    -SecurityTypes VncAuth,TLSVnc \
+    -localhost no
 
-echo "VNC server started on display :2"
-echo "Access via: http://192.168.168.17:6080/vnc.html"
+echo "VNC server started on display :2 (password-protected)"
+echo "Connect with a VNC client on port 5902"